Friday, December 11, 2009

FTC Hears Views on Regulation of Online Privacy

This posting appeared in the December 15, 2009 issue of Telecommunications Reports.

One member of the Federal Trade Commission has called for "comprehensive privacy legislation," while the agency's chairman has offered a more measured aspiration for a regulatory approach to online privacy, intended to serve both consumers and companies that track them better than the status quo.

Speaking at the FTC's Dec. 7 privacy roundtable in Washington, FTC Commissioner Pamela Jones Harbour—who noted that her time at the agency is "coming to a close" (her term expired in September)—said that her call for comprehensive legislation was not a disparagement of efforts by Rep. Rick Boucher (D., Va.) for online privacy protections, but that "the privacy debate goes far beyond" online concerns.

"Real change cannot just be aspirational," she observed.

Commissioner Jones Harbour said that for every company taking a good faith approach to a privacy policy, there is another trying to "parse and evade commission guidance." She suggested that the current "turbulent economic times are forcing companies to seek out new sources of income" through the collection and sale of consumer data.

Looking forward, she said, "I know the Commission will continue to be the thought leader on privacy," and pledged to continue to do her part to "push" the FTC on this issue.

“Watershed Moment in Privacy”

Recalling the history of privacy jurisprudence, FTC Chairman Jon Leibowitz said, "We're at another watershed moment in privacy," adding that it is time for the FTC to act. He suggested that among the factors increasing threats to online privacy is the ever-decreasing cost of storing and analyzing data.

Chairman Leibowitz said that, as the agency pursues its privacy proceeding over the next six months, he hopes to "find a way [that is] better for consumers and fairer for companies as well." He noted that "we all know consumers don't read privacy disclosures very well" and suggested that it might be possible "to meet consumer expectations" of privacy in other ways that will work for companies.

He suggested that consideration should be given to how to treat "vulnerable categories of consumers such as children."

The text of the Chairman Leibowitz’s introductory remarks appears here on the FTC website.

Views of Business, Consumer Groups

Richard Smith, a consultant with Boston Software Forensics who made two presentations during the roundtable, echoed Chairman Leibowitz's point about the low cost of data storage, saying, "It actually costs more to delete the information off of drives" than to store it.

Susan Grant, director-consumer protection at the Consumer Federation of America, warned that "if people were to realize that their rights are being violated," their trust and willingness to use online tools such as search engines would be eroded.

Michael Hintze, associate general counsel at Microsoft Corp., called for "a multifaceted approach [to privacy] from the beginning," adding that "anonymization [of data] is important but not a silver bullet." Asked to defend the benefits of wireless location-based services, Mr. Hintze acknowledged that it is "cool." However, he added, "it is one thing to know where your customer is right now; it's another to keep a record of every place they've been for last three years."

David Hoffman, director-security policy and global privacy officer at Intel Corp., said privacy assurances should include limitations on the use and collection of data, as well as limitations on how long the data can be retained. He also advised looking carefully "at any regulations that require companies to maintain data longer than they otherwise would for business purposes," such as for homeland security purposes, because simply retaining the data longer increases the potential for data breaches.

Alessandro Acquisti, an economics professor at Carnegie Mellon University, observed, "There are problems that education and transparency can't address," in part because "privacy costs are often long-term" and it has "been proven over and over that we are very bad at making decisions when benefits are short-term but risk is long-term."

Jules Polenetsky, co-chairman and director of the Future of Privacy Forum, said, "We need a little bit of experimentation and leeway to create a [privacy preferences] feature that will succeed in the marketplace" and that "you need a little bit of room for people to delight users" with new ways of using information.

Peder McGee, a senior attorney in the FTC's Division of Privacy and Identity Protection who co-moderated one of the panels, said that some panelists' proposals for allowing consumers to decide whether to seek out information about a company's privacy policy and use of data "seem[] to put a lot of burden on consumer to find out about things that aren't very transparent."

Telecommunications Reports is published by Telecommunications Reports International, a Division of Aspen Publishers, a Wolters Kluwer Company. Further information about Telecommunications Reports is available here at www.tr.com.